Abstract — Formal semantics offers a complete and rigorous definition of a language. It is important to define different semantic models for a language, as different models serve different purposes. Building equivalence between different semantic models of a language strengthens its formal foundation. This paper shows the derivation of denotational semantics from the operational semantics of the language cCSP. The aim is to show the correspondence between operational and trace semantics. We extract traces from operational rules and use induction over traces to show the correspondence between the two semantics of cCSP.

Index Terms — Compensating CSP, semantic relationship, trace 
semantics, operational semantics. 

I. Introduction 

A formal semantics offers a complete and rigorous definition of a language. Operational and denotational semantics are two well-known methods of assigning meaning to programming languages, and both semantics are necessary for a complete description of the language. Denotational semantics associates an element of a semantic domain to each expression in the language, and the semantics is compositional. Traces are one of the ways to define denotational semantics. A trace gives the global picture of the behaviour. The common way of defining operational semantics is to provide state transition systems for the language, where the transition system models the computation steps of expressions in the language and allows the formal analysis of the language.

Compensating CSP (cCSP) [1] is a language defined to model long running business transactions within the framework of Hoare's CSP [2] process algebra. Business transactions need to deal with faults that can arise at any stage of the transactions. Compensation is defined in [3] as an action taken to recover from error in business transactions or cope with a change of plan. cCSP provides constructs for orchestration of compensations to model business transactions. With the introduction of the language, both trace [1] and operational [4] semantics have been defined. Both semantics have valuable non-overlapping applications and we want to use them both. The key question is "How are they related?".

This paper draws the correspondence between two different semantic representations of a language, which strengthens the formal foundation of the language. In particular, the aim is to accomplish the unification between the operational and denotational approaches of cCSP. The unification is based on an approach where we use the transition rules from the operational semantics to derive the traces and then show that these derived traces correspond to the original traces by using induction over the derived traces. Completing the derivation means that any of the presentations can be accepted as a primary definition of the meaning of the language, and each of the definitions can even safely and consistently be used at different times and for different purposes.

The rest of the paper is organised as follows. A brief overview of cCSP along with an example is given in Section II. The trace and the operational semantics of cCSP are outlined in Section III. We describe how we define and prove a relationship between the semantic models in Section IV. We define theorems and supporting lemmas to establish the relationship for both standard and compensable processes. We outline some lessons from the experiment and then summarise some related work in Section V and Section VI respectively. We draw our conclusion in Section VII.



II. Compensating CSP 

The introduction of the cCSP language was inspired by two ideas: transaction processing features and process algebra. Like standard CSP, processes in cCSP are modelled in terms of the atomic events they can engage in. The language provides operators that support sequencing, choice, and parallel composition of processes. In order to support failed transactions, compensation operators are introduced. The processes are categorised into standard and compensable processes. A standard process does not have any compensation, but compensation is part of a compensable process that is used to compensate a failed transaction. We use notations such as P, Q, ... to identify standard processes, and PP, QQ, ... to identify compensable processes. A subset of the original cCSP, which includes most of the operators, is considered in this paper and is summarised in Fig. 1.

Standard Processes:                              Compensable Processes:

P, Q ::= A        (atomic event)                 PP, QQ ::= P ÷ Q     (compensation pair)
       | P ; Q    (sequential composition)                | PP ; QQ
       | P □ Q    (choice)                                | PP □ QQ
       | P || Q   (parallel composition)                  | PP || QQ
       | SKIP     (normal termination)                    | SKIPP
       | THROW    (throw an interrupt)                    | THROWW
       | YIELD    (yield to an interrupt)                 | YIELDD
       | P ▷ Q    (interrupt handler)
       | [PP]     (transaction block)

Fig. 1. cCSP syntax

The basic unit of the standard processes is an atomic event (A). The other operators are the sequential composition (P ; Q), the parallel composition (P || Q), the choice operator (P □ Q), the interrupt handler (P ▷ Q), the empty process SKIP, raising an interrupt THROW, and yielding to an interrupt YIELD. A process that is ready to terminate is also willing to yield to an interrupt. In a parallel composition, throwing an interrupt by one process synchronises with yielding in another process. Yield points are inserted in a process through YIELD. For example, (P ; YIELD ; Q) is willing to yield to an interrupt in between the execution of P and Q. The basic way of constructing a compensable process is through a compensation pair (P ÷ Q), which is constructed from two standard processes, where P is called the forward behaviour that executes during normal execution, and Q is called the associated compensation that is designed to compensate the effect of P when needed. The sequential composition of compensable processes is defined in such a way that the compensations of the completed tasks will be accumulated in reverse to the order of their original composition, whereas compensations from the compensable parallel processes will be placed in parallel. In this paper, we define only the asynchronous composition of processes, where processes interleave with each other during normal execution, and synchronise during termination. By enclosing a compensable process PP inside a transaction block [PP], we get a complete transaction, and the transaction block itself is a standard process. Successful completion of PP represents successful completion of the block. But when the forward behaviour of PP throws an interrupt, the compensations are executed inside the block, and the interrupt is not observable from outside of the block. SKIPP, THROWW, and YIELDD are the compensable counterparts of the corresponding standard processes and they are defined as follows:

SKIPP = SKIP ÷ SKIP
YIELDD = YIELD ÷ SKIP
THROWW = THROW ÷ SKIP

To illustrate the use of cCSP, we present an example of a transaction for processing customer orders in a warehouse in Fig. 2. The first step in the transaction is a compensation pair. The primary action of this pair is to accept the order and deduct the order quantity from the inventory database. The compensation action simply adds the order quantity back to the total in the inventory database. After an order is received from a customer, the order is packed for shipment, and a courier is booked to deliver the goods to the customer. The PackOrder process packs each of the items in the order in parallel. Each PackItem activity can be compensated by a corresponding UnpackItem. Simultaneously with the packing of the order, a credit check is performed on the customer. The credit check is performed in parallel because it normally succeeds, and in this normal case the company does not wish to delay the order unnecessarily. In the case that a credit check fails, an interrupt is thrown, causing the transaction to stop its execution, with the courier possibly having been booked and possibly some of the items having been packed. In case of failure, the semantics of the transaction block will ensure that the appropriate compensation activities will be invoked for those activities that already did take place.

OrderTransaction = [ ProcessOrder ]
ProcessOrder     = (AcceptOrder ÷ RestockOrder) ; FulfillOrder
FulfillOrder     = BookCourier ÷ CancelCourier ||
                   PackOrder ||
                   CreditCheck ; (Ok ; SKIPP
                                  □ NotOk ; THROWW)
PackOrder        = || i ∈ Items • (PackItem(i) ÷ UnpackItem(i))

Fig. 2. Warehouse order processing 

III. Semantic Models 

This section briefly outlines the trace and the operational 
semantics of cCSP. 

A. Trace Semantics 

A trace of a process records the history of behaviour up to some point. We show the operators on traces, which are then lifted to operators on sets of traces. The sets of traces considered for cCSP are non-empty.

The trace of a standard process is of the form $s\langle\omega\rangle$ where $s \in \Sigma^*$ ($\Sigma$ is the alphabet of normal events) and $\omega \in \Omega$ ($\Omega = \{\checkmark, !, ?\}$), which means all traces end with one of the events in $\Omega$, which is called a terminal event. The terminal events represent the termination of a process. Successful termination is shown by ✓. Termination by either throwing or yielding an interrupt is shown by ! or ? respectively. In sequential composition (p ; q), the observable traces p and q are concatenated only when p terminates successfully (ends with ✓); otherwise the trace is only p. The traces of two parallel processes are $p\langle\omega\rangle \parallel q\langle\omega'\rangle$, which corresponds to the set (p ||| q), the possible interleavings of the traces of both processes, followed by $\omega \& \omega'$, the synchronisation of $\omega$ and $\omega'$. The trace semantics of standard processes is shown in Fig. 3.

Atomic Action: for $A \in \Sigma$, $T(A) = \{\langle A, \checkmark \rangle\}$

Basic Processes:

$$T(SKIP) = \{\langle \checkmark \rangle\}, \quad T(THROW) = \{\langle ! \rangle\}, \quad T(YIELD) = \{\langle ? \rangle, \langle \checkmark \rangle\}$$

Sequential Composition:

$$p\langle \checkmark \rangle ; q = p.q, \quad \text{and} \quad p\langle \omega \rangle ; q = p\langle \omega \rangle \ \text{ where } \omega \neq \checkmark$$
$$T(P ; Q) = \{\, p ; q \mid p \in T(P) \wedge q \in T(Q) \,\}$$

Parallel Composition:

$$p\langle \omega \rangle \parallel q\langle \omega' \rangle = \{\, r\langle \omega \& \omega' \rangle \mid r \in (p \,|||\, q) \,\} \quad \text{where}$$
$$\begin{array}{c|cccccc} \omega & ! & ! & ! & ? & ? & \checkmark \\ \omega' & ! & ? & \checkmark & ? & \checkmark & \checkmark \\ \hline \omega \& \omega' & ! & ! & ! & ? & ? & \checkmark \end{array}$$
$$T(P \parallel Q) = \{\, r \mid r \in (p \parallel q) \wedge p \in T(P) \wedge q \in T(Q) \,\}$$

Interrupt Handler:

$$p\langle ! \rangle \rhd q = p.q \quad \text{and} \quad p\langle \omega \rangle \rhd q = p\langle \omega \rangle \ \text{ where } \omega \neq\ !$$
$$T(P \rhd Q) = \{\, p \rhd q \mid p \in T(P) \wedge q \in T(Q) \,\}$$

Choice: $T(P \,\Box\, Q) = T(P) \cup T(Q)$

Transaction Block:

$$[p\langle ! \rangle, p'] = p.p' \quad \text{and} \quad [p\langle \checkmark \rangle, p'] = p\langle \checkmark \rangle$$
$$T([PP]) = \{\, [p, p'] \mid (p, p') \in T(PP) \,\}$$

Fig. 3. Trace semantics of standard processes

Compensable processes are comprised of forward and compensation behaviour. The traces of compensable processes are pairs of traces of the form $(s\langle\omega\rangle, s'\langle\omega'\rangle)$, where $s\langle\omega\rangle$ is the forward behaviour and $s'\langle\omega'\rangle$ is the compensation behaviour. In sequential composition, the forward traces correspond to the original forward behaviour and are followed by the traces of the compensation. Traces of parallel composition are defined as the interleaving of the forward traces, followed by the interleaving of the compensations. The traces of a compensation pair are the traces of both of the processes of the pair when the forward process (P) terminates with ✓; otherwise the traces of the pair are the traces of the forward process followed by only ✓. The traces of a transaction block are only the traces of the compensable process inside the block when the process terminates with ✓; otherwise, when the forward process inside the block terminates with !, the traces of the block are the traces of the forward process followed by the traces of the compensation. Fig. 4 outlines the traces of compensable processes.



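Basic Processes:

$$T(SKIPP) = T(SKIP \div SKIP) = \{(\langle ? \rangle, \langle \checkmark \rangle), (\langle \checkmark \rangle, \langle \checkmark \rangle)\}$$
$$T(THROWW) = T(THROW \div SKIP) = \{(\langle ? \rangle, \langle \checkmark \rangle), (\langle ! \rangle, \langle \checkmark \rangle)\}$$
$$T(YIELDD) = T(YIELD \div SKIP) = \{(\langle ? \rangle, \langle \checkmark \rangle)\}$$

Compensation Pair:

$$p\langle \checkmark \rangle \div q = (p\langle \checkmark \rangle, q) \quad \text{and} \quad p\langle \omega \rangle \div q = (p\langle \omega \rangle, \langle \checkmark \rangle) \ \text{ where } \omega \neq \checkmark$$
$$T(P \div Q) = \{(\langle ? \rangle, \langle \checkmark \rangle)\} \cup \{\, p \div q \mid p \in T(P) \wedge q \in T(Q) \,\}$$

Sequential Composition:

$$(p\langle \checkmark \rangle, p') ; (q, q') = (p.q,\ q' ; p')$$
$$(p\langle \omega \rangle, p') ; (q, q') = (p\langle \omega \rangle, p') \ \text{ where } \omega \neq \checkmark$$
$$T(PP ; QQ) = \{\, pp ; qq \mid pp \in T(PP) \wedge qq \in T(QQ) \,\}$$

Parallel Composition:

$$(p, p') \parallel (q, q') = \{\, (r, r') \mid r \in (p \parallel q) \wedge r' \in (p' \parallel q') \,\}$$
$$T(PP \parallel QQ) = \{\, rr \mid rr \in (pp \parallel qq) \wedge pp \in T(PP) \wedge qq \in T(QQ) \,\}$$

Choice: $T(PP \,\Box\, QQ) = T(PP) \cup T(QQ)$

Fig. 4. Trace semantics of compensable processes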

The following healthiness conditions declare that processes consist of some terminating or interrupting behaviour, which ensures that the traces of processes are non-empty:

• $p\langle \checkmark \rangle \in T(P)$ or $p\langle ! \rangle \in T(P)$, for some $p$

• $(p\langle \checkmark \rangle, p') \in T(PP)$ or $(p\langle ! \rangle, p') \in T(PP)$, for some $p, p'$

B. Operational Semantics 

By using labelled transition systems [5], the operational semantics specifies the relation between states of a program. Two types of transitions are defined to present the transition relation of process terms: normal and terminal. A normal transition is defined by a normal event ($a \in \Sigma$) and a terminal transition is defined by a terminal event ($\omega \in \Omega$).



For a standard process, a normal transition takes a process term from one state to another (P to P'). The terminal transition, on the other hand, terminates a standard process to a null process (0):



P' 







In sequential composition (P ; Q), the process Q can start only when the process P terminates successfully (with ✓). If P terminates with ! or ?, the process Q will not start. In parallel composition each process can evolve independently, and processes synchronise only on terminal events. The transition rules for standard processes are outlined in Fig. 5.



[Figure: transition rules for standard processes, grouped as Atomic Action, Basic Processes, Sequential Composition, Parallel Composition, Choice, Interrupt Handler and Transaction Block, with the synchronisation table for ω, ω' and ω&ω'.]

Fig. 5. Operational semantics of standard processes

For compensable processes, the normal transitions are the same as for standard processes. However, the terminal events terminate the forward behaviour of compensable processes and, additionally, the compensations are stored for future reference.

$$PP \xrightarrow{a} PP', \qquad PP \xrightarrow{\omega} P \quad (P \text{ is the compensation})$$

In sequential composition (PP ; QQ), when PP terminates, its compensation (P) is stored and QQ starts to execute. In this scenario, we get an auxiliary construct $\langle QQ, P \rangle$ where the processes have no particular operational relation between them. After termination of the process QQ, its compensation (Q) is accumulated in front of P, i.e., (Q ; P). In the parallel composition, the main difference from the standard processes is that after termination of the forward behaviour the compensations are accumulated in parallel. The transition rules of compensable processes are summarised in Fig. 6.

A non-terminal event changes the state of the process inside the block. Successful completion of the forward process inside the block means completion of the whole block, but throwing an interrupt by the compensable process inside the block results in the compensation being run. In a compensation pair, after successful completion of the forward behaviour the compensation will be stored for future use; however, unsuccessful termination, i.e., termination by ! or ?, results in an empty compensation (Fig. 5).
[Figure: transition rules for compensable processes, grouped as Choice, Sequential Composition, Parallel Composition and Compensation Pair.]

Fig. 6. Operational semantics of compensable processes



IV. Relating Semantic Models 

In this section we describe the steps to derive a relationship between the two semantic models of cCSP. We follow a systematic approach to derive the relationship, where traces are first extracted from the transition rules and we then prove that the extracted traces correspond to the original trace definition. The steps of deriving the semantic relation are shown in Fig. 7.



[Figure: flow diagram of the cCSP semantics. Operational Semantics → (traces extracted from operational rules) → Derived Traces; Derived Traces and Trace Semantics → (induction over traces) → Correspondence between derived trace and original trace for each term of cCSP → (structural induction over terms) → Establish correspondence between semantic models.]

Fig. 7. Steps to derive relationship between semantic models

The operational semantics leads to lifted transition relations labelled by sequences of events. This is defined recursively. For a standard process P,

$$P \xrightarrow{\langle x \rangle} Q \;=\; P \xrightarrow{x} Q$$
$$P \xrightarrow{\langle x \rangle t} Q \;=\; \exists P' \cdot P \xrightarrow{x} P' \wedge P' \xrightarrow{t} Q$$

The derived traces of a standard process P are defined as DT(P). Let $t \in DT(P)$, then we get the following definition,

$$t \in DT(P) \;=\; P \xrightarrow{t} 0 \qquad (1)$$

Compensable processes have both forward and compensation behaviour. A compensable process is defined as a pair of traces. Hence, it is required to extract traces from both forward and compensation behaviour. The forward behaviour of a compensable process PP is defined as follows:

$$PP \xrightarrow{t} R \qquad (t \text{ ends with } \omega)$$

where t is the trace of the forward behaviour and R is the attached compensation. The behaviour of the compensation is similar to standard processes, and by reusing that we get the following definition:

$$PP \xrightarrow{(t, t')} 0 \;=\; \exists R \cdot PP \xrightarrow{t} R \wedge R \xrightarrow{t'} 0$$

where t' is the trace of the compensation. For a compensable process PP, the derived traces DT(PP) are defined as follows:

$$(t, t') \in DT(PP) \;=\; PP \xrightarrow{(t, t')} 0$$

By using the definition of derived traces and the original traces, we state the following theorem to define the relationship between the semantic models.

Theorem 1: For any standard process term P, where $P \neq 0$,

$$DT(P) = T(P)$$

For any compensable process term PP, where $PP \neq 0$ and PP does not contain the term $\langle PP, P \rangle$,

$$DT(PP) = T(PP)$$

Traces are extracted for each term of the language, and their correspondence is shown with the corresponding traces in the trace semantics. Assume P and Q are standard process terms; then for all the operators, we prove that

$$t \in DT(P \otimes Q) \;=\; t \in T(P \otimes Q) \qquad (2)$$

For each such operator $\otimes$, the proof is performed by induction over traces. In the proof we assume that DT(P) = T(P) and DT(Q) = T(Q).

We follow a similar style for compensable processes. Assuming DT(PP) = T(PP) and DT(QQ) = T(QQ), we show that

$$(t, t') \in DT(PP \otimes QQ) \;=\; (t, t') \in T(PP \otimes QQ) \qquad (3)$$

In the following sections we outline the proof steps showing the correspondence in (2) and (3) for both standard and compensable process terms.

A. Standard Processes

Sequential Composition: By using (2), the relationship between the semantic models is derived by showing that

$$t \in DT(P ; Q) \;=\; t \in T(P ; Q)$$

From (1) we get the derived traces of the sequential composition,

$$t \in DT(P ; Q) \;=\; (P ; Q) \xrightarrow{t} 0$$

We also expand the definition of trace semantics as follows:

$$\begin{aligned}
& t \in T(P ; Q) \\
=\ & \exists p, q \cdot t = (p ; q) \wedge p \in T(P) \wedge q \in T(Q) \\
=\ & \exists p, q \cdot t = (p ; q) \wedge p \in DT(P) \wedge q \in DT(Q) \\
=\ & \exists p, q \cdot t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

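Finally, from the above definitions of traces, the following lemma is formulated for the sequential composition of standard processes:

Lemma 1:

The lemma is proved by applying induction over the trace t, where $t = \langle\omega\rangle$ is considered as the base case, and $t = \langle a \rangle t$ is considered as the inductive case. To support the proof of the lemma, two equations are derived from the transition rules. These derived equations are based on the event by which the transition rules are defined:

$$\begin{aligned}
(P ; Q) \xrightarrow{\omega} 0 \;=\;\ & P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{\omega} 0 \\
\vee\ & P \xrightarrow{\omega} 0 \wedge \omega \neq \checkmark \\
(P ; Q) \xrightarrow{a} R \;=\;\ & \exists P' \cdot P \xrightarrow{a} P' \wedge R = (P' ; Q) \\
\vee\ & P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{a} R
\end{aligned}$$

Proof:

Basic step: $t = \langle\omega\rangle$

$$\begin{aligned}
& (P ; Q) \xrightarrow{\langle\omega\rangle} 0 \\
=\ & (P ; Q) \xrightarrow{\omega} 0 \\
=\ & \text{“From transition rules of sequential composition”} \\
& P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{\omega} 0 && (4) \\
\vee\ & P \xrightarrow{\omega} 0 \wedge \omega \neq \checkmark && (5)
\end{aligned}$$

From (4):

$$\begin{aligned}
& P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{\omega} 0 \\
=\ & \exists p, q \cdot p = \langle\checkmark\rangle \wedge q = \langle\omega\rangle \wedge \langle\omega\rangle = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \exists p, q \cdot \langle\omega\rangle = (p ; q) \wedge p = \langle\checkmark\rangle \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

From (5):

$$\begin{aligned}
& P \xrightarrow{\omega} 0 \wedge \omega \neq \checkmark \\
=\ & \exists p, q \cdot p = \langle\omega\rangle \wedge \omega \neq \checkmark \wedge \langle\omega\rangle = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \exists p, q \cdot \langle\omega\rangle = (p ; q) \wedge p \neq \langle\checkmark\rangle \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

Therefore, for $t = \langle\omega\rangle$, from (4) and (5):

$$\begin{aligned}
& \exists p, q \cdot \langle\omega\rangle = (p ; q) \wedge p = \langle\checkmark\rangle \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
\vee\ & \exists p, q \cdot \langle\omega\rangle = (p ; q) \wedge p \neq \langle\checkmark\rangle \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \exists p, q \cdot \langle\omega\rangle = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

Inductive step: $t = \langle a \rangle t$

$$\begin{aligned}
& (P ; Q) \xrightarrow{\langle a \rangle t} 0 \\
=\ & \exists R \cdot (P ; Q) \xrightarrow{a} R \wedge R \xrightarrow{t} 0 \\
=\ & \text{“From operational rules”} \\
& \exists P' \cdot P \xrightarrow{a} P' \wedge (P' ; Q) \xrightarrow{t} 0 && (6) \\
\vee\ & \exists Q' \cdot P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{a} Q' \wedge Q' \xrightarrow{t} 0 && (7)
\end{aligned}$$

From (6):

$$\begin{aligned}
& \exists P' \cdot P \xrightarrow{a} P' \wedge (P' ; Q) \xrightarrow{t} 0 \\
=\ & \text{“Inductive hypothesis”} \\
& \exists P' \cdot P \xrightarrow{a} P' \wedge \exists p', q \cdot t = (p' ; q) \wedge P' \xrightarrow{p'} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \text{“Combining existential quantifications”} \\
& \exists p', q \cdot t = (p' ; q) \wedge P \xrightarrow{\langle a \rangle p'} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \text{“Using trace rule } \langle a \rangle t = \langle a \rangle (p' ; q) = (\langle a \rangle p') ; q \text{”} \\
& \exists p', q \cdot \langle a \rangle t = (\langle a \rangle p' ; q) \wedge P \xrightarrow{\langle a \rangle p'} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \exists p, q \cdot p = \langle a \rangle p' \wedge \langle a \rangle t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

From (7):

$$\begin{aligned}
& \exists Q' \cdot P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{a} Q' \wedge Q' \xrightarrow{t} 0 \\
=\ & P \xrightarrow{\checkmark} 0 \wedge Q \xrightarrow{\langle a \rangle t} 0 \\
=\ & \exists p, q \cdot p = \langle\checkmark\rangle \wedge q = \langle a \rangle t \wedge \langle a \rangle t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \exists p, q \cdot \langle a \rangle t = (p ; q) \wedge p = \langle\checkmark\rangle \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

Therefore, for $t = \langle a \rangle t$, from (6) ∨ (7):

$$\begin{aligned}
& \exists p, q \cdot p = \langle a \rangle p' \wedge \langle a \rangle t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
\vee\ & \exists p, q \cdot p = \langle\checkmark\rangle \wedge \langle a \rangle t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \text{“Combining existential quantifications”} \\
& \exists p, q \cdot (p = \langle\checkmark\rangle \vee p = \langle a \rangle p') \wedge \langle a \rangle t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \exists p, q \cdot \langle a \rangle t = (p ; q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$

This completes the proof of the lemma. We follow the same approach to prove the other lemmas in the rest of the paper.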
Parallel Composition: The parallel composition of two processes is defined to be the interleaving of their observable events followed by the synchronisation of their terminal events. For example, considering asynchronous actions, A || B can execute A followed by B or B followed by A. For traces p and q we write p ||| q to denote the set of interleavings of p and q, and it follows the following definition:

$$\langle\rangle \in p \,|||\, q \;=\; p = \langle\rangle \wedge q = \langle\rangle$$
$$\begin{aligned}
\langle a \rangle t \in p \,|||\, q \;=\;\ & \exists p' \cdot p = \langle a \rangle p' \wedge t \in p' \,|||\, q \\
\vee\ & \exists q' \cdot q = \langle a \rangle q' \wedge t \in p \,|||\, q'
\end{aligned}$$
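By following similar steps as for sequential composition, we define the following lemma for parallel composition:

Lemma 2:

$$(P \parallel Q) \xrightarrow{t} 0 \;=\; \exists p, q \cdot t \in (p \parallel q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0$$

We derive two supporting equations from the transition rules of parallel composition:

$$\begin{aligned}
P \parallel Q \xrightarrow{a} R \;=\;\ & P \xrightarrow{a} P' \wedge R = P' \parallel Q \\
\vee\ & Q \xrightarrow{a} Q' \wedge R = P \parallel Q' \\
P \parallel Q \xrightarrow{\omega} 0 \;=\;\ & P \xrightarrow{\omega 1} 0 \wedge Q \xrightarrow{\omega 2} 0 \wedge \omega \in \omega 1 \& \omega 2
\end{aligned}$$

Proof: The proof of the base case is trivial and omitted from the presentation. The inductive case is described here:

$$\begin{aligned}
& (P \parallel Q) \xrightarrow{\langle a \rangle t} 0 \\
=\ & \exists R \cdot (P \parallel Q) \xrightarrow{a} R \wedge R \xrightarrow{t} 0 \\
=\ & \text{“Using the operational rules”} \\
& \exists P' \cdot P \xrightarrow{a} P' \wedge (P' \parallel Q) \xrightarrow{t} 0 \\
\vee\ & \exists Q' \cdot Q \xrightarrow{a} Q' \wedge (P \parallel Q') \xrightarrow{t} 0 \\
=\ & \text{“Inductive hypothesis”} \\
& \exists P' \cdot P \xrightarrow{a} P' \wedge \exists p', q \cdot t \in (p' \parallel q) \wedge P' \xrightarrow{p'} 0 \wedge Q \xrightarrow{q} 0 \\
\vee\ & \exists Q' \cdot Q \xrightarrow{a} Q' \wedge \exists p, q' \cdot t \in (p \parallel q') \wedge P \xrightarrow{p} 0 \wedge Q' \xrightarrow{q'} 0 \\
=\ & \text{“Combining existential quantifications”} \\
& \exists p', q \cdot t \in (p' \parallel q) \wedge P \xrightarrow{\langle a \rangle p'} 0 \wedge Q \xrightarrow{q} 0 \\
\vee\ & \exists p, q' \cdot t \in (p \parallel q') \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{\langle a \rangle q'} 0 \\
=\ & \exists p, q \cdot p = \langle a \rangle p' \wedge t \in (p' \parallel q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
\vee\ & \exists p, q \cdot q = \langle a \rangle q' \wedge t \in (p \parallel q') \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \text{“Combining”} \\
& \exists p, q \cdot (p = \langle a \rangle p' \wedge t \in (p' \parallel q) \vee q = \langle a \rangle q' \wedge t \in (p \parallel q')) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0 \\
=\ & \text{“By the definition of the interleaving of traces”} \\
& \exists p, q \cdot \langle a \rangle t \in (p \parallel q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0
\end{aligned}$$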
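The correspondence DT(P) = T(P) for standard processes can also be checked by execution on finite terms. The following is an added example, not code from the paper: it implements the trace operators of Fig. 3 and a one-step transition function, then derives traces by following transitions to the null process. The tuple encoding of terms, the function names, the sample terms, and the reading of the choice and interrupt-handler transitions (either operand of a choice may move; the handler passes control on ! the way sequential composition does on ✓) are assumptions of this example.

```python
from functools import lru_cache

TICK, THROW, YIELD = "✓", "!", "?"        # terminal events
RANK = {TICK: 0, YIELD: 1, THROW: 2}      # sync table: ! beats ?, ? beats ✓

def sync(w1, w2):
    """Synchronise two terminal events (the w&w' table of Fig. 3)."""
    return w1 if RANK[w1] >= RANK[w2] else w2

# Process terms as nested tuples (encoding chosen for this example).
SKIP_P, THROW_P, YIELD_P = ("skip",), ("throw",), ("yield",)
def atom(a):      return ("atom", a)
def seq(p, q):    return ("seq", p, q)
def par(p, q):    return ("par", p, q)
def choice(p, q): return ("choice", p, q)
def handle(p, q): return ("handle", p, q)   # interrupt handler

BASIC = {"skip": {(TICK,)}, "throw": {(THROW,)}, "yield": {(YIELD,), (TICK,)}}

def interleave(p, q):
    """All interleavings p ||| q of two sequences of normal events."""
    if not p or not q:
        return {p + q}
    return ({(p[0],) + r for r in interleave(p[1:], q)} |
            {(q[0],) + r for r in interleave(p, q[1:])})

def join(p, q, on):
    """p ; q (on=TICK) or p |> q (on=THROW): q continues only if p ends with `on`."""
    return p[:-1] + q if p[-1] == on else p

@lru_cache(maxsize=None)
def T(term):
    """Trace semantics, following Fig. 3."""
    kind = term[0]
    if kind == "atom":
        return frozenset({(term[1], TICK)})
    if kind in BASIC:
        return frozenset(BASIC[kind])
    P, Q = T(term[1]), T(term[2])
    if kind == "choice":
        return P | Q
    if kind in ("seq", "handle"):
        on = TICK if kind == "seq" else THROW
        return frozenset(join(p, q, on) for p in P for q in Q)
    if kind == "par":
        return frozenset(r + (sync(p[-1], q[-1]),)
                         for p in P for q in Q
                         for r in interleave(p[:-1], q[:-1]))
    raise ValueError(kind)

@lru_cache(maxsize=None)
def steps(term):
    """One-step transitions (event, successor); successor None is the null process 0."""
    kind = term[0]
    if kind == "atom":
        return frozenset({(term[1], SKIP_P)})
    if kind in BASIC:
        return frozenset((t[0], None) for t in BASIC[kind])
    left, right = term[1], term[2]
    out = set()
    if kind == "choice":
        out = set(steps(left) | steps(right))
    elif kind in ("seq", "handle"):
        on = TICK if kind == "seq" else THROW
        for x, nxt in steps(left):
            if nxt is not None:
                out.add((x, (kind, nxt, right)))   # left operand moves
            elif x == on:
                out |= steps(right)                # control passes to the right operand
            else:
                out.add((x, None))                 # terminates without starting it
    elif kind == "par":
        out |= {(x, par(n, right)) for x, n in steps(left) if n is not None}
        out |= {(x, par(left, n)) for x, n in steps(right) if n is not None}
        out |= {(sync(w1, w2), None)               # both sides terminate together
                for w1, n1 in steps(left) if n1 is None
                for w2, n2 in steps(right) if n2 is None}
    else:
        raise ValueError(kind)
    return frozenset(out)

@lru_cache(maxsize=None)
def DT(term):
    """Derived traces: t is in DT(P) iff P reaches 0 along t."""
    out = set()
    for x, nxt in steps(term):
        out |= {(x,)} if nxt is None else {(x,) + t for t in DT(nxt)}
    return frozenset(out)

# Constructed sample terms over atomic events A, B, C.
A, B, C = atom("A"), atom("B"), atom("C")
SAMPLES = [
    seq(seq(A, YIELD_P), B),
    par(A, B),
    handle(seq(A, THROW_P), C),
    par(seq(A, THROW_P), seq(B, YIELD_P)),
    choice(seq(A, B), par(YIELD_P, C)),
    seq(par(A, THROW_P), B),
]

def mismatches():
    """Sample terms on which derived and denotational traces differ."""
    return [t for t in SAMPLES if DT(t) != T(t)]
```

`mismatches()` returns an empty list for these terms. A finite check of this kind exercises the rules but does not replace the inductive proof.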



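B. Compensable Processes

Sequential Composition: For compensable processes PP and QQ, let $(t, t') \in DT(PP ; QQ)$; according to the trace derivation rule we get

$$(t, t') \in DT(PP ; QQ) \;=\; \exists R \cdot (PP ; QQ) \xrightarrow{t} R \wedge R \xrightarrow{t'} 0$$

The following lemma is stated to define the relationship for the lifted forward behaviour of sequential composition of compensable processes:

Lemma 3:

$$\begin{aligned}
(PP ; QQ) \xrightarrow{t} R \;=\; \exists P, Q, p, q \cdot\ & t = (p ; q) \\
\wedge\ & PP \xrightarrow{p} P \wedge QQ \xrightarrow{q} Q \\
\wedge\ & R = COND(last(p) = \checkmark,\ (Q ; P),\ P)
\end{aligned}$$

where COND(true, e1, e2) = e1 and COND(false, e1, e2) = e2.

The COND expression is used to state that when process PP terminates successfully (terminates by ✓), the compensations from both PP and QQ are accumulated in reverse order; otherwise only the compensation from PP is stored. The following equations are derived from the transition rules to support the proof of the above lemma.

$$\begin{aligned}
(PP ; QQ) \xrightarrow{a} RR \;=\;\ & PP \xrightarrow{a} PP' \wedge RR = (PP' ; QQ) \\
\vee\ & PP \xrightarrow{\checkmark} P \wedge QQ \xrightarrow{a} QQ' \wedge RR = \langle QQ', P \rangle \\
(PP ; QQ) \xrightarrow{\omega} R \;=\;\ & PP \xrightarrow{\checkmark} P \wedge QQ \xrightarrow{\omega} Q \wedge R = (Q ; P) \\
\vee\ & PP \xrightarrow{\omega} P \wedge \omega \neq \checkmark \wedge R = P
\end{aligned}$$

In the inductive case of the lemma we get the following intermediate step involving the auxiliary construct $\langle QQ, P \rangle$.

$$\begin{aligned}
& (PP ; QQ) \xrightarrow{\langle a \rangle t} R \\
=\ & \exists RR \cdot (PP ; QQ) \xrightarrow{a} RR \wedge RR \xrightarrow{t} R \\
=\ & \exists PP' \cdot PP \xrightarrow{a} PP' \wedge (PP' ; QQ) \xrightarrow{t} R \\
\vee\ & \exists P, QQ' \cdot PP \xrightarrow{\checkmark} P \wedge QQ \xrightarrow{a} QQ' \wedge \langle QQ', P \rangle \xrightarrow{t} R && (8)
\end{aligned}$$

To deal with this we need another lemma which will support the removal of the auxiliary construct in (8). This lemma considers the situation where the forward behaviour of the first process of the sequential composition has terminated with ✓, its compensation is stored, and the second process of the composition has started. Note that t in (8) above is a complete trace.

Lemma 4:

$$\langle QQ, P \rangle \xrightarrow{t} R \;=\; \exists Q \cdot QQ \xrightarrow{t} Q \wedge R = (Q ; P)$$

The lemma is proved by induction over traces. By using this lemma, we prove Lemma 3 by following the similar approach of applying induction over traces.

Parallel Composition: Let $(t, t') \in DT(PP \parallel QQ)$. By using the trace derivation rule we get,

$$(t, t') \in DT(PP \parallel QQ) \;=\; \exists R \cdot (PP \parallel QQ) \xrightarrow{t} R \wedge R \xrightarrow{t'} 0$$

We then define the following lemma to establish the semantic correspondence for parallel composition of compensable processes:

Lemma 5:

$$\begin{aligned}
(PP \parallel QQ) \xrightarrow{t} R \;=\; \exists P, Q, p, q \cdot\ & t \in (p \parallel q) \\
\wedge\ & PP \xrightarrow{p} P \wedge QQ \xrightarrow{q} Q \wedge R = P \parallel Q
\end{aligned}$$

The lemma is proved by using induction over traces, similar to the other lemmas.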
Compensation Pair: A compensation pair (P ÷ Q) consists of two standard processes: a standard process (P) and its compensation (Q). The semantics of the compensation pair is defined in such a way that the behaviour of the compensation Q is augmented only with successfully completed forward behaviour of P; otherwise, the compensation is empty. For a compensation pair, we show that

$$(t, t') \in DT(P \div Q) \;=\; (t, t') \in T(P \div Q)$$

To prove the semantic correspondence between the semantic models, we state the following lemma:

Lemma 6:

$$(P \div Q) \xrightarrow{(t, t')} 0 \;=\; \exists p, q \cdot (t, t') = (p \div q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0$$

The lemma is proved by induction, as for the previous lemmas. To support the inductive proof, the following two equations are derived from the transition rules shown earlier,

$$\begin{aligned}
(P \div Q) \xrightarrow{\omega} R \;=\;\ & P \xrightarrow{\checkmark} 0 \wedge R = Q \\
\vee\ & P \xrightarrow{\omega} 0 \wedge \omega \neq \checkmark \wedge R = SKIP \\
(P \div Q) \xrightarrow{a} RR \;=\;\ & P \xrightarrow{a} P' \wedge RR = P' \div Q
\end{aligned}$$

Unlike the lemmas defined earlier for compensable processes, Lemma 6 includes the traces of both forward and compensation behaviour. The following trace rules for the compensation pair are used in the proof of the lemma:

$$\text{when } p = p'\langle\checkmark\rangle: \quad (t, t') = (p'\langle\checkmark\rangle \div q) = (p, q)$$
$$\text{when } p = p'\langle\omega\rangle \wedge \omega \neq \checkmark: \quad (t, t') = (p'\langle\omega\rangle \div q) = (p, \langle\checkmark\rangle)$$

Transaction Block: A transaction block is a standard process. We let $t \in DT([PP])$, and by following the trace derivation rule we get

$$t \in DT([PP]) \;=\; [PP] \xrightarrow{t} 0$$

The semantic correspondence is then derived by proving the following lemma:

Lemma 7:

$$[PP] \xrightarrow{t} 0 \;=\; \exists p, p' \cdot t = [p, p'] \wedge PP \xrightarrow{(p, p')} 0$$

The operational semantics provides us with the following equations to support the proof of the above lemma.

$$\begin{aligned}
[PP] \xrightarrow{a} R \;=\;\ & PP \xrightarrow{a} PP' \wedge R = [PP'] \\
\vee\ & PP \xrightarrow{!} P \wedge P \xrightarrow{a} P' \wedge R = P'
\end{aligned}$$

[pp}^Uo = ppApapAo 
v ppAp a pAo 

The block operator runs the compensation of a terminating forward behaviour and discards the compensation of successfully completed forward behaviour. It removes the traces of a yielding forward behaviour.

We left two operators out of the correspondence proof presented here. The first one is the choice operator (P □ Q). The trace of a choice is the union of the traces of its operands, and the operational rules show that either process (P or Q) can evolve independently. The correspondence proof of this operator is trivial. The other operator that was left out is the interrupt handler (P ▷ Q). It is quite similar to standard sequential composition, except that the flow of control from the first to the second process is caused by a throw (!) rather than a ✓, and hence showing its correspondence proof would be repetitive.

V. Lessons Learned 

We have adopted a systematic approach to show the correspondence between the two semantic models of cCSP. Traces are derived from the operational rules, and then by applying induction over the traces we showed the correspondence. Due to the way the operational rules are defined, the trace derivation was done easily. We used a labelled transition system to define the operational rules. In [6] operational rules are defined for a language similar to ours, but the same symbol is used to define the labels of different transition rules. In contrast, we used special symbols for different kinds of transitions. Transitions between states are caused by two kinds of events, normal and terminal, and we used these events as labels in our transition rules. The advantage of this approach of defining labels is that these labels are the traces of the transition, and we can then derive these traces from the transition rules.

The trace operators play a significant role in defining the lemmas as well as in the correspondence proofs. The operators are used both at the trace level and at the process level. All the lemmas defined in this chapter have a common pattern applicable to both standard and compensable processes. For example, for standard processes P and Q, and their traces p and q, the lemmas for all the operators are defined as follows:

$$(P \otimes Q) \xrightarrow{t} 0 \;=\; \exists p, q \cdot t = (p \otimes q) \wedge P \xrightarrow{p} 0 \wedge Q \xrightarrow{q} 0$$

(for the parallel operator use $t \in (p \otimes q)$ instead of $t = (p \otimes q)$)

Similar definitions are also given for the forward behaviour of compensable processes. The use of operators at both trace and process levels allows us to apply appropriate rules for the operators (rules for terminal and observable events from the operational and trace semantics).

The correspondence was proved by using structural induction. First, the induction was applied on process terms of the language and then on the derived traces. The lower level induction, which is on traces, supports the induction on the upper level, which is on process terms.

VI. Related Work 

The semantic correspondence presented here is based on the technique of applying structural induction. A similar approach is also applied by S. Schneider [7], where an equivalence relation was established between the operational and denotational semantics of timed CSP [8][9]. Operational rules are defined for timed CSP, and then timed traces and refusals are extracted from the transition rules of a program, and it is shown that the pertinent information corresponds to the semantics obtained from the denotational semantic function. By applying structural induction over the terms of timed CSP, it was proved that the behaviour of the transition system is identical to that provided by the denotational semantics.
A similar problem was also investigated in [10], where a metric structure was employed to relate the operational and denotational models of a given language. In order to relate the semantic models it was proved that the two models coincide. The denotational models were extended and structural induction was applied over the terms of the language to relate the semantic models.

Other than using induction, Hoare and He ifTTl presented the 
idea of unifying different programming paradigms and showed 
how to derive operational semantics from its denotational 
presentation of a sequential language. They derive algebraic 
laws from the denotational definition and then derive the 
operational semantics from the algebraic laws. Similar to our 
work, Huibiao et al. [12] derived denotational semantics from 
operational semantics for a subset of Verilog [13]. However, the 
derivation was done differently from our method: the authors 
defined transitional condition and phase semantics 
from the operational semantics. The denotational semantics 
are derived from the sequential composition of the phase 
semantics. The authors also derived operational semantics 
from denotational semantics [14]. 

Unlike our approach, the unification between the two 
semantics was shown in [15] by extending the operational 
semantics to incorporate the denotational properties. The 
equivalence was shown for a language having simple models 
without any support for concurrency. A similar problem was also 
investigated in [16] for a simple sequential language, which 
supports recursion and synchronisation in the form of 
interleaving. The relation between operational and denotational 
semantics is obtained via an intermediate semantics. 

VII. Concluding Remarks 

It is of great importance to have a description of both the 
operational and the denotational semantics. Given both 
semantics, we need to establish a relationship between the 
two. Demonstrating the relationship between these two 
semantics of the same language ensures the consistency of the whole 
semantic description of the language. 

The main contribution of this paper is to show the 
correspondence between the operational semantics and the trace 
semantics of a subset of the cCSP language. The correspondence 
is shown by deriving the traces from the operational rules and 
then applying induction over the derived traces. Two levels 
of induction are applied. At one level, induction is applied over 
the operational rules, and at the next level, induction is applied 
over the derived traces. 

The correspondence shown here was established entirely by 
hand, which is error prone, and there is a strong possibility of 
missing some important parts of the proof. As part of 
future work, our goal is to use an automated/mechanized 
prover, which will let us follow the same approach that we 
followed here, i.e., mathematical induction, and at the same time 
prove the theorems automatically. Among several tools, we are 
currently using PVS (Prototype Verification System) [17] for 
this purpose. The specification language of PVS is based on 
classical, typed, higher-order logic and contains constructs 
intended to ease the natural development of specifications. The 
PVS proof checker is interactive and provides powerful basic 
commands and a mechanism for building re-usable strategies 
based on these. 

The parallel operator of cCSP does not support synchroniza- 
tion on normal events. Synchronization of events is significant 
for the development of a language. Currently we are working 
on adding synchronization to cCSP. Adding synchronization 
and then using a mechanized theorem prover to show the 
correspondence will strengthen the formal foundation of the 
language. 

References 

[1] M. Butler, T. Hoare, and C. Ferreira, "A trace semantics for long-running 
transaction," in Proceedings of 25 Years of CSP, ser. LNCS, A. Abdallah, 
C. Jones, and J. Sanders, Eds., vol. 3525. London: Springer-Verlag, 
2004. 

[2] C. Hoare, Communicating Sequential Process. Prentice Hall, 1985. 

[3] J. Gray and A. Reuter, Transaction Processing: Concepts and 
Techniques. Morgan Kaufmann Publishers, 1993. 

[4] M. Butler and S. Ripon, "Executable semantics for compensating CSP," 
in WS-FM 2005, ser. LNCS, M. Bravetti, L. Kloul, and G. Zavattaro, 
Eds., vol. 3670. Versailles, France: Springer-Verlag, September 1-3 
2005, pp. 243-256. 

[5] G. D. Plotkin, "A structural approach to operational semantics." Aarhus 
University, Computer Science Department, Tech. Rep. DAIMI FN-19, 
September 1981. 

[6] R. Bruni, H. Melgratti, and U. Montanari, "Theoretical foundations for 
compensations in flow composition languages," in POPL, 12-14 January 
2005, pp. 209-220. 

[7] S. Schneider, "An operational semantics for timed CSP," Journal of 
Information and computing, vol. 116, no. 2, pp. 193-213, 1995. 

[8] G. M. Reed and A. W. Roscoe, "A timed model for communicating 
sequential processes," Theoretical Computer Science, vol. 58, no. 1-3, 
pp. 249-261, June 1988. 
[9] S. Schneider, J. Davies, D. M. Jackson, G. M. Reed, J. N. Reed, and 
A. W. Roscoe, "Timed CSP: Theory and practice," in REX Workshop, 
ser. LNCS, vol. 600, 1991, pp. 640-675. 

[10] F. van Breugel, "An introduction to metric semantics: operational and 
denotational models for programming and specification languages," 
Theoretical Computer Science, vol. 258, no. 1-2, pp. 1-98, May 2001. 

[11] C. Hoare and H. Jifeng, Unifying Theories of Programming. Prentice 
Hall International Series in Computer Science, 1998. 

[12] H. Zhu, J. P. Bowen, and J. He, "From operational semantics to 
denotational semantics for Verilog," in CHARME 2001, ser. LNCS, 
T. Margaria and T. F. Melham, Eds., vol. 2144, 2001, pp. 449-466. 

[13] M. Gordon, "The semantic challenge of Verilog HDL," in Proceedings 
of the 10th Annual IEEE Symposium on Logic in Computer Science 
(LICS '95). IEEE Computer Society, June 1995, pp. 136-145. 

[14] H. Zhu, J. P. Bowen, and J. He, "Deriving operational semantics 
from denotational semantics for Verilog," in 8th Asia-Pacific Software 
Engineering Conference (APSEC 2001). IEEE Computer Society, 4-7 
Dec 2001, pp. 177-184. 

[15] S. F. Smith, "From operational to denotational semantics," in 
Proceedings of the 7th International Conference on Mathematical Foundations 
of Programming Semantics, ser. LNCS, vol. 598, 1992, pp. 54-76. 

[16] J.-J. C. Meyer and E. Vink, On Relating Denotational and Operational 
Semantics for Programming Languages with Recursion and 
Concurrency, ser. Open Problems in Topology. Elsevier, 1990, ch. 24, pp. 
387-406. 

[17] S. Owre, J. Rushby, and N. Shankar, "PVS: A Prototype Verification 
System," in 11th International Conference on Automated Deduction 
(CADE), ser. Lecture Notes in Artificial Intelligence, D. Kapur, Ed., 
vol. 607. Springer-Verlag, June 1992, pp. 748-752. 






